Friday, December 27, 2013

Lemons for Security - Information Asymmetry

My wife handed me an article from the Annals of Internal Medicine (Vol 157, No. 2, p.139-140) entitled "Lemons for Obesity" by Michael Lauer, MD. At first, I thought she's trying to hint that I need to lose weight but she said there's a section in the article that might apply to cybersecurity. So, my curiousity got the better of me. Dr. Lauer's article described his thought about the obesity drug Qnexa and issues with aftereffects.

What does this have to do with cybersecurity?

Lauer mentions a Nobel prize winning paper by George Akerlof on the market for bad cars aka "lemons".  He summarizes Akerlof's "lemon" scenario as follows.

"Used car buyers believe 75%  of cars are good (peaches) and 25% have problems (lemons). Buyer know lemon owners want to sell because of these car problems.  Suppose a lemon costs $5K and peaches cost $20K. The buyer has trouble distinguishing lemons from peaches based on this limited information and owners have no way to effectively communicate their inside knowledge. Suppose the buyer seeking a deal offers $16,250. Peach owner will refuse such a low-ball offer but lemon owners will jump at the offer. If on the other hand, a peach owner accepts the low offer, the buyer wonders what's wrong with the car, i.e., it must be a lemon. So, the buyer offers a lower price of say, $12,500 which the peach owner is less likely to accept. So, over time, the only cars that sell are lemons. Information Asymmetry allows bad products to drive out good products."

Twisting one of Dr. Lauer's sentences, if we think about the history of application software security, we've seen plenty of lemons.